What avc's are you seeing?  What was the policy change that you did to make it work?

I do not see any avc's reported in the /var/log/secure file. I tried disabling
selinux protection for dovecot daemon but that made no difference. I did not see
any other obvious change to make. If I change selinux to permissive it works.

Here is what I find in /var/log/maillog:
Jan 16 20:01:32 douglas dovecot: imap-login: Aborted login: rip=::ffff:10.2.2.7,
 lip=::ffff:10.2.2.7, secured
Jan 16 20:02:22 douglas dovecot: imap-login: Login: user=<dhighley>, method=plai
n, rip=::ffff:10.2.2.7, lip=::ffff:10.2.2.7, secured

For history purposes, I ran into this in core 5 as well.

Look for avc messages in /var/log/audit/audit.log and /var/log/messages

/var/log/audit/audit.log:

type=USER_ACCT msg=audit(1168811105.322:310): user pid=6246 uid=0 auid=429496729
5 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=dhighley : 
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:10.2.2.7, addr=::ffff:1
0.2.2.7, terminal=dovecot res=success)'
type=AVC msg=audit(1168811105.370:311): avc:  denied  { create } for  pid=6249 c
omm="imap" name=".imap" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_
u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1168811105.370:311): arch=c000003e syscall=83 success=no 
exit=-13 a0=69e1f0 a1=1f8 a2=19 a3=69e1f0 items=0 ppid=3009 pid=6249 auid=429496
7295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=
1000 tty=(none) comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system
_r:dovecot_t:s0 key=(null)


/var/log/messages:

Jan 13 11:36:36 douglas kernel: audit(1168716996.619:44): avc:  denied  { link }
 for  pid=14806 comm="imap" name=".temp.douglas.14806.1a87a8e646cb9863" dev=dm-0
 ino=12487157 scontext=user_u:system_r:dovecot_t:s0 tcontext=user_u:object_r:roo
t_t:s0 tclass=file
Jan 13 11:36:36 douglas kernel: audit(1168716996.619:45): avc:  denied  { unlink
 } for  pid=14806 comm="imap" name=".temp.douglas.14806.1a87a8e646cb9863" dev=dm
-0 ino=12487157 scontext=user_u:system_r:dovecot_t:s0 tcontext=user_u:object_r:r
oot_t:s0 tclass=file
Jan 13 11:36:36 douglas kernel: audit(1168716996.639:46): avc:  denied  { create
 } for  pid=14806 comm="imap" name=".imap" scontext=user_u:system_r:dovecot_t:s0
 tcontext=user_u:object_r:root_t:s0 tclass=dir

According to those AVC messages you are trying to create .imap and .temp.douglas
in directories labeled root_t.   Is this a new directory under /?

I checked and those directories do not exist. So I postulate that this is
another program that violates sound practices of where it should create
temporary file structures. Should this bug be moved to a dovecot bug?

Reassiging to Dovecot.

Why is Dovecot trying to create these files under /?  Or is there some directory
that it tries to create them in?

What configuration do you use?

Look at the section "Detecting what to use" in
/usr/share/doc/dovecot-1.0/mail-storages.txt -- it may explain the problem.

I couldn't reproduce the problem though. I was trying very hard to make selinux
actually log something, but it did not. I wonder how lucky one must be for it to
log these errors. Dan told me to turn off "allow_daemons_dump_core" and it still
didn't make it.

I guess switching from Solaris to Linux and from UW IMAP to dovecot was not as
transparent as it appeared to be. Since it worked until Selinux came about I
just assumed, fell into the unconsious incompetant realm, that dovecot was
pretty simple once ssl certificates were constructed. Reading the above document
gave me hints, but the real enlightening information is in /etc/dovecot which I
had never looked at.:-( I find dovecot now to be vastly configurable and I need
to address its configuration. Looks like this issue is where the dynamic
generated indexes are created, which can be in memory. Thirty years of
spelunking without a latern makes me cautious but I still occassionaly fall into
the unconsious incompetant abyss. I'm closing this call and thanks for the support.

After changing the dovecot /etc/dovecot.conf file to use in memory indexes it
only ran to the next file issue. It was able to create the file ~/Mail/Trash but
then it gets a permission error trying to access that file.
-rw------- 1 dhighley staff       0 Jan 19 21:52 Trash

I've Googled the net and gone to the dovecot wiki site but I find no
documentation on how to configure so it will work with selinux.

Could you post the log entries related to this?

From /var/log/maillog:
Jan 19 21:31:12 douglas dovecot: imap-login: Login: user=<dhighley>, method=plai
n, rip=::ffff:10.2.2.7, lip=::ffff:10.2.2.7, TLS
Jan 19 21:31:28 douglas dovecot: imap-login: Login: user=<dhighley>, method=plai
n, rip=::ffff:10.2.2.7, lip=::ffff:10.2.2.7, TLS
Jan 19 21:31:28 douglas dovecot: IMAP(dhighley): open() failed with mbox file /h
ome/dhighley/Mail/Trash: Permission denied

From /var/log/audit/audit.log:
type=USER_ACCT msg=audit(1169271647.218:9491): user pid=21071 uid=0 auid=1000 su
bj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=dhighley : exe="/
usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:10.2.2.7, addr=::ffff:10.2.2.
7, terminal=dovecot res=success)'
type=AVC msg=audit(1169271647.231:9492): avc:  denied  { lock } for  pid=21072 c
omm="imap" name="Trash" dev=dm-0 ino=12487136 scontext=user_u:system_r:dovecot_t
:s0 tcontext=user_u:object_r:root_t:s0 tclass=file
type=SYSCALL msg=audit(1169271647.231:9492): arch=c000003e syscall=72 success=ye
s exit=0 a0=8 a1=7 a2=7ffff5432890 a3=0 items=0 ppid=19159 pid=21072 auid=1000 u
id=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 t
ty=(none) comm="imap" exe="/usr/libexec/dovecot/imap" subj=user_u:system_r:dovec
ot_t:s0 key=(null)

One more note, I did try disabling selinux protection of dovecot but it had no
effect.

This seems like your selinux is somewhat broken. I can't reproduce it in any way
(but I believe my selinux is broken as well). It is a very nonstandard behavior
we would have noticed if it was caused by a bug, so I believe there has to be
something wrong with your system.

Daniel, any tips on this?

This is a new install of Fedora core 6. But I had the same issue with Fedora
core 5 which was also a new install. From my perspective it has never worked.

So with your configuration you want the dovecot server to store files in root's
Homedir.  Is this a standard behavior?  IE Is it expected that Dovecot writes to
home directories?  Or should it just write to /root?  Or is this a customization
that you added?

You can use audit2allow -M mydovecot < /var/log/audit/audit.log  to create 
local policy to allow dovecot to run on your system. 

No, I do not want files to be stored in the root directory. After configuring
dovecot to use momory cached indexs I do not believe it is trying to write in
the root directory. I see that it has trouble with /home/dhighley/Mail/Trash
from the log files above which is in the user's mail directory. Which it
created, because I removed it before retesting and after creation it was some
how not able to access the file as I understand it from looking at the log files.

Where are we on this issue? I made a configuration change so that dovecot does
not create index files at "/". But it still needs to be able to write to the
users Mail folder directory. So far I have been able to get SeLinux and iptables
to work with all my systems except for E-mail.

The question I have, is having dovecot store messages in users home directories
a normal behavior for dovecot.  We can add a boolean to policy to allow it.  But
the goal of most of selinux policy is to prevent Network Facing daemons from
read/writing users homedirectories.

I'm not able to think of any E-mail application that does not write files in the
users home directory tree. Elm, mutt, dovecot, thunderbird, all want to be able
to save E-mails to files in the users home directory structure.

dovecot is a server, thunderbird, elm mutt are all clients I believe.

What about if they are all running on the same system. Another E-mail related
policy change is running squirrel mail on an outside server requires changing
the policy rule to allow HTTPD scripts and modules to connect to the network.

So here is the bigger picture. You have a web server on the perimeter with
squirrel mail for roaming E-mail access which connects to an inside E-mail
server via dovecot. The user when inside can use either squirrel mail via the
web server or thunderbird from any system including the inside E-mail server
since it is just another server system. All the inside E-mail connections are
IMAP E-mail server connections.

E-mail is the hardest service to provide and the most difficult to debug when
something is misconfigured.

What change did you need to make to http to allow squirrelmail to work?

You understand mail servers a lot better then I do.  My only goal is to limit
the vulnerability of a system daemon being able to get access to users home
dirs.  If it is required and usual for dovecot to store mail directly in users
home directories rather then in /var/spool/mail, then I can add policy and a
boolean to allow it.

/var/spool/mail usually contains only the user's INBOX, and even that only when
using mbox format. With IMAP there are other mailboxes as well and they're
typically stored in ~/mail. If maildir is used, usually everything is stored in
~/Maildir.

Maybe the policy could allow access to ~/mail, ~/Mail and ~/Maildir?

Ok, I reread the policy and it looks like dovecot should be allowed to use these
directories.

What avc messages are you seeing now?

What policy do you have installed?

rpm -q selinux-policy

Created attachment 148169 [details]
Audit log

I have attached the audit log from the E-mail server. You will find that there
are many denied entries associated with E-mail; spamd, pyzor, procmail, and
dovecot. I'm now using todays policy update:
selinux-policy-2.4.6-37.fc6

Running this log file under audit2allow reveals:


#============= dovecot_t ==============
allow dovecot_t etc_runtime_t : file write;
> This is strange it looks like dovecot is using files under /etc to store
state.  Draft, Sent?
allow dovecot_t root_t : file lock;
> We discussed above that using / for these files is a bad idea.

#============= procmail_t ==============
allow procmail_t etc_runtime_t : file append;
> Why is spamlog stored under /etc?
allow procmail_t root_t : dir { write remove_name add_name };
allow procmail_t root_t : file { write getattr link lock create unlink append };
> Using / is bad

#============= pyzor_t ==============
allow pyzor_t autofs_t : dir search;
> Should be dontaudited
allow pyzor_t etc_runtime_t : file { read getattr };
> Is the servers file something created by init scripts?
allow pyzor_t root_t : file { read getattr };
> See comment about / above.
allow pyzor_t tmp_t : dir { write remove_name search add_name };
allow pyzor_t tmp_t : file { write read create unlink getattr };
> I have added this to policy

#============= spamd_t ==============
allow spamd_t etc_runtime_t : file { write append };
> spamd is writing to a bunch of files under /etc razor-agent.log, auto-whitelist?

allow spamd_t pyzor_t : process signal;
> Added to policy.
allow spamd_t root_t : file { ioctl unlink link append };

How do I respond to this, I did not write the applications nor define the
defaults. I checked all the locations I know for spamassassin and dovecot
configuration files and found nothing coded to /etc. The packaging for
spamassasin  locates the run configuration files which are read from
/etc/mail/spamassassin. This should be for read only. I constantly see
applications trying to create or access stuff in /home which on any reasonable
configuration is an automount location for home directories. I continualy run a
find script to remove duplicate configuration files because the rpm packagers do
not check to see if the current file is the same as the new one they want to
create so they end up creating file.newrpm. So do you think we need to replicate
this bug report to all these applications? Does the policies allow applications
to read configuration files? Sorry for the rant.

I am looking for where these etc_runtime_t files are.

Could you execute the following:

# find /etc -context "*etc_runtime_t*"

You might also have some labeling problem on your system, 

restorecon -R -v /home 
Might clean up some  of these.

[root@douglas ~]# find /etc -context "*etc_runtime_t*"
/etc/issue
/etc/mtab
/etc/motd
/etc/blkid
/etc/blkid/blkid.tab
/etc/blkid/blkid.tab.old
/etc/X11/xorg.conf.backup-nvidia-glx
/etc/X11/xorg.conf
/etc/smartd.conf
/etc/issue.net
/etc/asound.state
/etc/modprobe.conf.backup-nvidia-glx
/etc/sysconfig/iptables-config
/etc/sysconfig/firstboot
/etc/sysconfig/hwconf
/etc/reader.conf

The following files are mistakenly labeled as etc_runtime_t.  This is what is
causing the problems.  
bayes_seen
bayes_toks
Draft
auto-whitelist
spamlog
servers
razor-agent.log

Dovecot and spamd are both trying to write to these files or a subset of them. 
If these files are in a home dir they are mislabled.

OK, since I do not know how a label gets on a new file that is an issue. I also
do not know how to change the label. I have looked at the man pages starting
with selinux but did not find this information.

Further spelunking at, http://fedora.redhat.com/docs/selinux-faq-fc5/, shows
that in Fedora core 5 you could use the chown -t option. That does not appear to
be the way to do it in Fedora core 6 as I find now -t option. Given I discover
how to label a file, what should the label be and will it stick across a file
system relabel using the default policies?

More reading seems to have found the answer. Using restore -v -R on the home
directories ~/.spamassassin ~/.razor and ~/Mail as well as fixing the file
spamlog changed the file labels. Still do not know how they got the wrong
labels. Is there a better place to learm more about selinux than the faq
location above?

danwalsh.livejournal.com  Start reading from the beginning of my blogs on
SELinux for dummies.

While the E-mail server is working we still have the following audit log
entries, do we need to submit bug reports against pyzor and procmail?

type=AVC msg=audit(1172276152.919:25664): avc:  denied  { search } for  pid=2098
0 comm="pyzor" name="/" dev=autofs ino=10947 scontext=user_u:system_r:pyzor_t:s0
 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=SYSCALL msg=audit(1172276152.919:25664): arch=c000003e syscall=2 success=no
 exit=-13 a0=6c6280 a1=0 a2=1b6 a3=0 items=0 ppid=5095 pid=20980 auid=1000 uid=1
000 gid=0 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(non
e) comm="pyzor" exe="/usr/bin/python" subj=user_u:system_r:pyzor_t:s0 key=(null)
type=AVC msg=audit(1172276152.919:25665): avc:  denied  { search } for  pid=2098
0 comm="pyzor" name="/" dev=autofs ino=10947 scontext=user_u:system_r:pyzor_t:s0
 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=SYSCALL msg=audit(1172276152.919:25665): arch=c000003e syscall=4 success=no
 exit=-13 a0=6c6240 a1=7fff8860d5b0 a2=7fff8860d5b0 a3=6c6240 items=0 ppid=5095
pid=20980 auid=1000 uid=1000 gid=0 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid
=1000 fsgid=1000 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=user_u:syste
m_r:pyzor_t:s0 key=(null)
type=AVC msg=audit(1172276152.919:25666): avc:  denied  { search } for  pid=2098
0 comm="pyzor" name="/" dev=autofs ino=10947 scontext=user_u:system_r:pyzor_t:s0
 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=SYSCALL msg=audit(1172276152.919:25666): arch=c000003e syscall=83 success=n
o exit=-13 a0=6c6240 a1=1ff a2=37a8f2f4d8 a3=6c6240 items=0 ppid=5095 pid=20980
auid=1000 uid=1000 gid=0 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgi
d=1000 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=user_u:system_r:pyzor_
t:s0 key=(null)
type=AVC msg=audit(1172276154.276:25667): avc:  denied  { write } for  pid=20976
 comm="procmail" name="dhighley" dev=dm-0 ino=12485695 scontext=system_u:system_
r:procmail_t:s0 tcontext=root:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1172276154.276:25667): arch=c000003e syscall=2 success=no
 exit=-13 a0=61b5e0 a1=c1 a2=124 a3=61b5e0 items=0 ppid=20973 pid=20976 auid=429
4967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=12 fsgid
=1000 tty=(none) comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:
procmail_t:s0 key=(null)

The pyzor denial I will fix in the next update to fc6.  procmail trying to write
to root_t, looks like a labeling problem or a configuration problem.  It is
trying to write to a directortory dhighley, labeled root_t, which is the default
directory of the / directory.

I just did a touch /.autorelabel and reboot. The home directories were miss
labeled. The policies are not working when the home directories are auto mounted
and the real file location is /export/home. I know I reported this as an issue
before but I could not find it using the advanced query. So I had to re-label,
restorecon -rv /home/user, to fix the labeling again.

I found the previous report.

So we can close this bug, and repopen the other problem.